Abstract

We develop a learning-based automated Assume-Guarantee (AG) reasoning framework for verifying ω-regular properties of concurrent systems. We study the applicability of non-circular (AG-NC) and circular (AG-C) AG proof rules in the context of systems with infinite behaviors. In particular, we show that AG-NC is incomplete when assumptions are restricted to strictly infinite behaviors, while AG-C remains complete. We present a general formalization, called LAG, of the learning-based automated AG paradigm. We show how existing approaches for automated AG reasoning are special instances of LAG. We develop two learning algorithms for a class of systems, called ∞-regular systems, that combine finite and infinite behaviors. We show that for ∞-regular systems, both AG-NC and AG-C are sound and complete. Finally, we show how to instantiate LAG to do automated AG reasoning for ∞-regular, and ω-regular, systems using both AG-NC and AG-C as proof rules.

1 Introduction 

Compositional reasoning [8, 13] is a widely used technique for tackling the state space explosion problem while verifying concurrent systems. Assume-Guarantee (AG) is one of the most well-studied paradigms for compositional reasoning [19, 14]. In AG-style analysis, we infer global properties of a system from the results of local analysis on its components. Typically, to analyze a system component C locally, we use an appropriate “assumption”, a model of the rest of the system that reflects the behavior expected by C from its environment in order to operate correctly. The goal of the local analyses is then to establish that every assumption made is also “guaranteed”, hence the name Assume-Guarantee.

Since its inception [18, 16], the AG paradigm has been explored in several directions. However, a major challenge in automating AG reasoning is constructing appropriate assumptions. For realistic systems, such assumptions are often complicated, and, therefore, constructing them manually is impractical. In this context, Cobleigh et al. [9] proposed the use of learning to automatically construct appropriate assumptions to verify a system composed of finite automata against a finite automaton specification (i.e., to verify safety properties). They used the following sound and complete AG proof rule:

$$\frac{M_1 \parallel A \subseteq S \qquad M_2 \subseteq A}{M_1 \parallel M_2 \subseteq S}$$

where $M_1$, $M_2$, $A$ and $S$ are finite automata, $\parallel$ is parallel composition, and $\subseteq$ denotes language containment. The essential idea is to use the L* algorithm [2] to learn an assumption $A$ that satisfies the premises of the rule, and to implement the minimally adequate teacher required by L* via model checking.

The learning-based automated AG paradigm has been extended in several directions [6, 1, 21]. However, the question of whether this paradigm is applicable to verifying ω-regular properties (i.e., liveness and safety) of reactive systems is open. In this paper, we answer this question in the affirmative. An automated AG framework requires: (i) an algorithm that uses queries and counterexamples to learn an appropriate assumption, and (ii) a set of sound and complete AG rules. Recently, a learning algorithm for ω-regular languages has been proposed by Farzan et al. [10]. However, to our knowledge, the AG proof rules have not been extended to ω-regular properties. This is the problem we address in this paper.

First, we study the applicability of non-circular (AG-NC) and circular (AG-C) AG proof rules in the context of systems with infinite behaviors. We assume that processes synchronize on shared events and proceed asynchronously otherwise, i.e., as in CSP [15]. We prove that, in this context, AG-NC is sound but incomplete when restricted to languages with strictly infinite behaviors (e.g., ω-regular). This is surprising and interesting. In contrast, we show that AG-C is both sound and complete for ω-regular languages. Second, we extend our AG proof rules to systems and specifications expressible in ∞-regular languages (i.e., unions of regular and ω-regular languages). We show that both AG-C and AG-NC are sound and complete in this case. To the best of our knowledge, these soundness and completeness results are new. We develop two learning algorithms for ∞-regular languages: one using a learning algorithm for ω-regular languages (see Theorem 8(a)) with an augmented alphabet, and another combining a learning algorithm for ω-regular languages with L* (see Theorem 8(b)) without alphabet augmentation. Finally, we present a very general formalization, called LAG, of the learning-based automated AG paradigm. We show how existing approaches for automated AG reasoning are special instances of LAG. Furthermore, we show how to instantiate LAG to develop automated AG algorithms for ∞-regular, and ω-regular, languages using both AG-NC and AG-C as proof rules.

The rest of the paper is structured as follows. We present the necessary background in Section 2. In 
Section 3, we review our model of concurrency. In Section 4, we study the soundness and completeness 
of AG rules, and present our LAG framework in Section 5. We conclude the paper with an overview of 
related work in Section 6. 

2 Preliminaries 

We write $\Sigma^*$ and $\Sigma^\omega$ for the set of all finite and infinite words over $\Sigma$, respectively, and write $\Sigma^\infty$ for $\Sigma^* \cup \Sigma^\omega$. We use the standard notation of regular expressions: $\lambda$ for the empty word, $a \cdot b$ for concatenation, $a^*$, $a^+$, and $a^\omega$ for finite, finite and non-empty, and infinite repetition of $a$, respectively. When $a \in \Sigma^\omega$, we define $a \cdot b = a$. These operations are extended to sets in the usual way, e.g., $X \cdot Y = \{x \cdot y \mid x \in X \wedge y \in Y\}$.

Language. A language is a pair $(L, \Sigma)$ such that $\Sigma$ is an alphabet and $L \subseteq \Sigma^\infty$. The alphabet is an integral part of a language. In particular, $(\{a\}, \{a\})$ and $(\{a\}, \{a, b\})$ are different languages. However, for simplicity, we often refer to a language as $L$ and mention $\Sigma$ separately. For instance, we write “language $L$ over alphabet $\Sigma$” to mean the language $(L, \Sigma)$, and $\Sigma(L)$ to mean the alphabet of $L$. Union and intersection are defined as usual, but only for languages over the same alphabet. The complement of $L$, denoted $\overline{L}$, is defined as $\overline{L} = \Sigma(L)^\infty \setminus L$. A finitary language ($\Sigma^*$-language) is a subset of $\Sigma^*$. An infinitary language ($\Sigma^\omega$-language) is a subset of $\Sigma^\omega$. For $L \subseteq \Sigma^\infty$, we write $*(L)$ for the finitary language $L \cap \Sigma^*$ and $\omega(L)$ for the infinitary language $L \cap \Sigma^\omega$. Note that $\Sigma(L) = \Sigma(*(L)) = \Sigma(\omega(L)) = \Sigma(\overline{L})$.

Transition Systems. A labeled transition system (LTS) is a 4-tuple $M = (S, \Sigma, Init, \delta)$, where $S$ is a finite set of states, $\Sigma$ is an alphabet, $Init \subseteq S$ is the set of initial states, and $\delta \subseteq S \times \Sigma \times S$ is a transition relation. We write $s \xrightarrow{a} s'$ for $(s, a, s') \in \delta$, and $\Sigma(M)$ for $\Sigma$. $M$ is deterministic if $|Init| \le 1$, and $\forall s \in S \,.\, \forall a \in \Sigma \,.\, |\{s' \mid s \xrightarrow{a} s'\}| \le 1$. A run $r$ over a word $w = \alpha_0, \alpha_1, \ldots \in \Sigma(M)^\infty$ is a sequence of states $s_0, s_1, \ldots$ such that $\forall i \ge 0 \,.\, s_i \xrightarrow{\alpha_i} s_{i+1}$. We write $First(r)$, $Last(r)$, and $Inf(r)$ to denote the first state of $r$, the last state of $r$ (assuming $r \in S^*$), and the set of states that occur infinitely often in $r$ (assuming $r \in S^\omega$), respectively. We write $Run(w, M)$ for the set of runs of $w$ on $M$.

Automata. A Finite Automaton (FA) is a 5-tuple $A = (S, \Sigma, Init, \delta, F)$, where $(S, \Sigma, Init, \delta)$ is an LTS and $F \subseteq S$ is a set of accepting states. The language accepted by $A$, $\mathcal{L}(A)$, is the set of all words $w \in \Sigma^*$ s.t. there exists a run $r$ of $w$ on $A$ with $First(r) \in Init \wedge Last(r) \in F$. A Büchi Automaton (BA) is a 5-tuple $B = (S, \Sigma, Init, \delta, F)$, where $(S, \Sigma, Init, \delta)$ is an LTS and $F \subseteq S$ is a set of accepting states. The language accepted by $B$, $\mathcal{L}(B)$, is the set of all words $w \in \Sigma^\omega$ s.t. there exists a run $r$ of $w$ on $B$ with $First(r) \in Init \wedge Inf(r) \cap F \neq \emptyset$. A BA or FA is deterministic if its underlying LTS is deterministic.

Regularity. A language is regular (ω-regular) iff it is accepted by a FA (BA). A language $L \subseteq \Sigma^\infty$ is ∞-regular iff $*(L)$ is regular and $\omega(L)$ is ω-regular. Deterministic FA (DFA) and non-deterministic FA (NFA) are equally expressive. Deterministic BA are strictly less expressive than non-deterministic BA.

Learning. A learning algorithm for a regular language is any algorithm that learns an unknown, but fixed, language $U$ over a known alphabet $\Sigma$. Such an algorithm is called active if it works by querying a Minimally Adequate Teacher (MAT). The MAT can answer “Yes/No” to two types of queries about $U$:

Membership Query: Given a word $w$, is $w \in U$?

Candidate Query: Given an automaton $B$, is $\mathcal{L}(B) = U$? If the answer is “No”, the MAT returns a counterexample (CE), which is a word such that $CE \in \mathcal{L}(B) \oplus U$, where $X \oplus Y = (X \setminus Y) \cup (Y \setminus X)$.

An active learning algorithm begins by asking membership queries of the MAT until it constructs a candidate, with which it makes a candidate query. If the candidate query is successful, the algorithm terminates; otherwise it uses the CE returned by the MAT to construct additional membership queries. The family of active learning algorithms originated with Angluin's L* [2] for learning a minimal DFA that accepts an unknown regular language. L* was further optimized by Rivest and Schapire [20].

The problem of learning a minimal automaton which accepts an unknown ω-regular language is still open. It is known [17] that for any language $U$ one can learn in the limit an automaton that accepts $U$ via the identification by enumeration approach proposed by Gold [12]. However, the automaton learned via enumeration may, in the worst case, be exponentially larger than the minimal automaton accepting $U$. Furthermore, there may be multiple minimal automata [17] accepting $U$. Maler et al. [17] have shown that L* can be extended to learn a minimal (Muller) automaton for a fragment of ω-regular languages.

Farzan et al. [10] show how to learn a Büchi automaton for an ω-regular language $U$. Specifically, they use L* to learn the language $U_\$ = \{u \$ v \mid u \cdot v^\omega \in U\}$, where $\$$ is a fresh letter not in the alphabet of $U$. The language $U_\$$ was shown to be regular by Calbrix et al. [4]. In the sequel, we refer to this algorithm as $L^\$$. The complexity of $L^\$$ is exponential in the minimal BA for $U$. Our LAG framework can use any active algorithm for learning ω-regular languages. In particular, $L^\$$ is an existing candidate.

3 Model of Concurrency 

Let $w$ be a word and $\Sigma$ an arbitrary alphabet. We write $w \downarrow \Sigma$ for the projection of $w$ onto $\Sigma$, defined recursively as follows (recall that $\lambda$ denotes the empty word):

$$\lambda \downarrow \Sigma = \lambda \qquad (\alpha \cdot u) \downarrow \Sigma = \begin{cases} \alpha \cdot (u \downarrow \Sigma) & \text{if } \alpha \in \Sigma \\ u \downarrow \Sigma & \text{otherwise} \end{cases}$$

Clearly, both $\Sigma^*$ and $\Sigma^\infty$ are closed under projection, but $\Sigma^\omega$ is not. For example, $(a^* \cdot b^\omega) \downarrow \{a\} = a^*$, and $a^*$ consists only of finite words. Projection preserves regularity: if $L$ is a regular (∞-regular) language and $\Sigma$ is any alphabet, then $L \downarrow \Sigma$ is also regular (∞-regular).

A process is modeled by a language of all of its behaviors (or computations). Parallel composition ($\parallel$) of two processes/languages synchronizes on common actions while executing local actions asynchronously. For languages $(L_1, \Sigma_1)$ and $(L_2, \Sigma_2)$, $L_1 \parallel L_2$ is the language over $\Sigma_1 \cup \Sigma_2$ defined as follows:

$$L_1 \parallel L_2 = \{w \in (\Sigma_1 \cup \Sigma_2)^\infty \mid w \downarrow \Sigma_1 \in L_1 \wedge w \downarrow \Sigma_2 \in L_2\} \qquad \text{(def. of } \parallel\text{)}$$

Intuitively, $L_1 \parallel L_2$ consists of all permutations of words from $L_1$ and $L_2$ that have a common synchronization sequence. For example, $(b^* \cdot a \cdot b^*) \parallel (c^* \cdot a \cdot c^*)$ is $(b + c)^* \cdot a \cdot (b + c)^*$. Note that when $L_1$ and $L_2$ share an alphabet, the composition is their intersection; when their alphabets are disjoint, the composition is their language shuffle. The sets of $\Sigma^*$, $\Sigma^\omega$, and $\Sigma^\infty$ languages are all closed under parallel composition.

Theorem 1. The $\parallel$ operator is associative, commutative, and distributive over union and intersection. It is also monotone, i.e., for any languages $L_1$, $L_2$, and $L_3$: $L_2 \subseteq L_3 \Rightarrow (L_1 \parallel L_2) \subseteq (L_1 \parallel L_3)$.

Let $L_1$ and $L_2$ be two languages such that $\Sigma(L_1) \supseteq \Sigma(L_2)$. We say that $L_1$ is subsumed by $L_2$, written $L_1 \preceq L_2$, if $L_1 \downarrow \Sigma(L_2) \subseteq L_2$. Let $L_S$ be the language of a specification $S$, and $L_M$ be the language of a system $M$. Then, $M$ satisfies $S$, written $M \models S$, iff $L_M \preceq L_S$.
4 Proof Rules for Assume-Guarantee Reasoning

In this section, we study the applicability of a non-circular and a circular AG rule to proving properties of processes with infinite behaviors (e.g., reactive systems that neither terminate nor deadlock). These rules were shown to be sound and complete for systems with finite (i.e., in $\Sigma^*$) behaviors by Barringer et al. [3]. In Section 4.1, we show that the non-circular AG rule is sound for both $\Sigma^\infty$ and $\Sigma^\omega$ behaviors. However, it is complete only when the assumptions are allowed to combine both finite and infinite behaviors (i.e., in $\Sigma^\infty$). In Section 4.2, we show that the circular AG rule is sound and complete for $\Sigma^\omega$ and $\Sigma^\infty$ behaviors.

4.1 Non-Circular Assume-Guarantee Rule 

The non-circular AG proof rule (AG-NC for short) is stated as follows:

$$\frac{(L_1 \parallel L_A) \preceq L_S \qquad L_2 \preceq L_A}{(L_1 \parallel L_2) \preceq L_S}$$

where $L_1$, $L_2$, $L_S$, and $L_A$ are languages with the alphabets $\Sigma_1$, $\Sigma_2$, $\Sigma_S$, $\Sigma_A$, respectively, $\Sigma_S \subseteq (\Sigma_1 \cup \Sigma_2)$, and $\Sigma_A = (\Sigma_1 \cup \Sigma_S) \cap \Sigma_2$. AG-NC is known to be sound and complete for $\Sigma^*$-languages. Intuitively, it says that if there exists an assumption $L_A$ such that: (a) $L_1$ composed with $L_A$ is contained in $L_S$, and (b) $L_2$ is contained in $L_A$, then the composition of $L_1$ with $L_2$ is contained in $L_S$ as well. Note that the alphabet $\Sigma_A$ is the smallest alphabet containing: (a) actions at the interface between $L_1$ and $L_2$, i.e., actions common to the alphabets of $L_1$ and $L_2$, and (b) external actions of $L_2$, i.e., actions common to the alphabets of $L_2$ and $L_S$. Any smaller alphabet makes the rule trivially incomplete; any larger alphabet exposes internal (i.e., non-external) actions of $L_2$. It is not surprising that AG-NC remains sound even when applied to languages with infinite words. However, AG-NC is incomplete when $L_A$ is restricted to $\Sigma^\omega$-languages:

Theorem 2. There exist $L_1, L_2, L_S \subseteq \Sigma^\omega$ such that $(L_1 \parallel L_2) \preceq L_S$, but there does not exist an assumption $L_A \subseteq \Sigma^\omega$ that satisfies all of the premises of AG-NC.

Proof. By example. Let $L_1$, $L_2$, $L_S$, and their alphabets be defined as follows:

$$\Sigma_1 = \{a, b\} \quad \Sigma_2 = \{a, c\} \quad \Sigma_S = \{a, b\} \quad L_1 = (a + b)^\omega \quad L_2 = a^* c^\omega \quad L_S = (a + b)^* b^\omega$$

The conclusion of the AG-NC rule is satisfied since $(L_1 \parallel L_2) \downarrow \Sigma_S = (a + b)^* b^\omega = L_S$. The alphabet $\Sigma_A$ of $L_A$ is $(\Sigma_1 \cup \Sigma_S) \cap \Sigma_2 = \{a\}$. Since $L_A \subseteq \Sigma_A^\omega$, it can only be $a^\omega$ or $\emptyset$. The only way to satisfy the first premise of AG-NC is to let $L_A = \emptyset$, but this is too strong to satisfy the second premise. □

Note that the proof of Theorem 2 shows that AG-NC is incomplete even for ∞-regular languages.

Remark 1. One may conjecture that the AG-NC rule becomes complete for $\Sigma^\omega$ if subsumption is redefined to only consider infinite words. That is, by redefining subsumption as: $L_1 \preceq L_2 \iff \omega(L_1 \downarrow \Sigma(L_2)) \subseteq L_2$. However, under this interpretation, AG-NC is no longer sound. For example, let the languages $L_1$, $L_2$, $L_S$, and their alphabets be defined as follows:

$$\Sigma_1 = \{a, b\} \quad \Sigma_2 = \{a, c\} \quad \Sigma_S = \{a, b\} \quad L_1 = (a + b)^\omega \quad L_2 = a^* c^\omega \quad L_S = b^\omega$$

Then, the conclusion of AG-NC does not hold: $\omega((L_1 \parallel L_2) \downarrow \Sigma_S) = (a + b)^* b^\omega \not\subseteq b^\omega$. But $L_A = \emptyset$ satisfies both premises: $(L_1 \parallel L_A) = b^\omega$ and $\omega(L_2 \downarrow \{a\}) = L_A$.

Remark 2. AG-NC is complete if the alphabet $\Sigma_A$ is redefined to be $\Sigma_1 \cup \Sigma_2$. However, in this case the rule is no longer “compositional” since the assumption $L_A$ can be as expressive as the component $L_2$.

Intuitively, AG-NC is incomplete for $\Sigma^\omega$ because $\Sigma^\omega$ is not closed under projection. However, we show that the rule is complete for $\Sigma^\infty$, the smallest projection-closed extension of $\Sigma^\omega$. We first show that for any languages $L_1$ and $L_S$, there always exists a unique weakest assumption $L_A$ such that $L_1 \parallel L_A \preceq L_S$.
Theorem 3. Let $L_1$ and $L_S$ be two languages, and $\Sigma_A$ be any alphabet s.t. $\Sigma(L_1) \cup \Sigma_A = \Sigma(L_1) \cup \Sigma(L_S)$. Then, $L_A = \{w \in \Sigma_A^\infty \mid (L_1 \parallel \{w\}) \preceq L_S\}$ satisfies $L_1 \parallel L_A \preceq L_S$, and is the weakest such assumption.

Proof. Let us write $\Sigma_1$, $\Sigma_S$ and $\Sigma_{1S}$ to mean $\Sigma(L_1)$, $\Sigma(L_S)$ and $\Sigma(L_1) \cup \Sigma(L_S)$, respectively. To show that $L_A$ is a valid assumption, pick any $w \in L_1 \parallel L_A$. Then $w \downarrow \Sigma_A \in L_A$. This implies that $w \downarrow \Sigma_S \in (L_1 \parallel \{w \downarrow \Sigma_A\}) \downarrow \Sigma_S \subseteq L_S$. Since $w$ is any word in $L_1 \parallel L_A$, we have $L_1 \parallel L_A \preceq L_S$. To show that $L_A$ is the weakest assumption, let $L'_A \subseteq \Sigma_A^\infty$ be any language such that $L_1 \parallel L'_A \preceq L_S$ and let $w$ be any word in $L'_A$. Then, $(L_1 \parallel \{w\}) \subseteq (L_1 \parallel L'_A) \preceq L_S$. But this implies that $w \in L_A$, and, therefore, $L'_A \subseteq L_A$. □

Note that $\Sigma_A^\infty$ subsumes both finite ($\Sigma_A^*$) and infinite ($\Sigma_A^\omega$) words. Thus, if $L_A$ is a $\Sigma_A^\infty$ weakest assumption, then $*(L_A)$ and $\omega(L_A)$ are the weakest $\Sigma_A^*$ and $\Sigma_A^\omega$ assumptions, respectively.

Theorem 4. Let $L_1$, $L_2$, $L_S$, and $L_A$ be in $\Sigma^\infty$. Then, the AG-NC rule is sound and complete.

Proof. The proof of soundness is trivial and is omitted. For the proof of completeness we only show the key step. Assume that $L_1 \parallel L_2 \preceq L_S$, and let $L_A$ be the weakest assumption such that $L_1 \parallel L_A \preceq L_S$. By Theorem 3, $L_A$ is well-defined and satisfies the first premise of AG-NC. The second premise holds because $L_2 \downarrow \Sigma_A \subseteq L_A$, and $L_A$ is the weakest $\Sigma_A^\infty$ assumption (see Theorem 3). □

Theorem 4 implies that AG-NC is sound for any fragment of $\Sigma^\infty$. Of course, this is not true for completeness of the rule. For practical purposes, we would like to know that the rule remains complete when its languages are restricted to the regular subset. We show that this is so by showing that under the assumption that $L_1$ and $L_S$ are regular, the weakest assumption is regular as well.

Theorem 5. Let $L_1$ and $L_S$ be two languages, and $\Sigma_A$ be any alphabet such that $\Sigma(L_1) \cup \Sigma_A = \Sigma(L_1) \cup \Sigma(L_S)$. Then, $L_A \subseteq \Sigma_A^\infty$ is the weakest assumption such that $L_1 \parallel L_A \preceq L_S$ iff $L_A = \overline{(L_1 \parallel \overline{L_S}) \downarrow \Sigma_A}$.

Proof. Let us write $\Sigma_1$, $\Sigma_S$ and $\Sigma_{1S}$ to mean $\Sigma(L_1)$, $\Sigma(L_S)$ and $\Sigma(L_1) \cup \Sigma(L_S)$, respectively. For any $w \in \Sigma_A^\infty$:

$$\begin{array}{rcl}
w \in \overline{(L_1 \parallel \overline{L_S}) \downarrow \Sigma_A} & \text{iff} & \forall w' \in \Sigma_{1S}^\infty \,.\, \{w'\} \preceq \{w\} \Rightarrow w' \notin (L_1 \parallel \overline{L_S}) \\
& \text{iff} & \forall w' \in \Sigma_{1S}^\infty \,.\, \{w'\} \preceq \{w\} \Rightarrow (\{w'\} \not\preceq L_1 \vee \{w'\} \preceq L_S) \\
& \text{iff} & \forall w' \in \Sigma_{1S}^\infty \,.\, (\{w'\} \preceq \{w\} \wedge \{w'\} \preceq L_1) \Rightarrow \{w'\} \preceq L_S \\
& \text{iff} & \forall w' \in \Sigma_{1S}^\infty \,.\, (\{w'\} \preceq (L_1 \parallel \{w\})) \Rightarrow \{w'\} \preceq L_S \\
& \text{iff} & L_1 \parallel \{w\} \preceq L_S
\end{array}$$

Together with Theorem 3, this completes the proof. □

Theorem 5 implies that AG-NC is complete for any class of languages closed under complementation and projection, e.g., regular and ∞-regular languages. In addition, Theorem 5 implies that learning-based automated AG reasoning is effective for any class of languages whose weakest assumptions fall in a “learnable” fragment. In particular, this holds for regular, ω-regular and ∞-regular languages.

4.2 Circular Assume-Guarantee Rule

The Circular Assume-Guarantee proof rule (AG-C for short) is stated as follows:

$$\frac{(L_1 \parallel L_{A1}) \preceq L_S \qquad (L_2 \parallel L_{A2}) \preceq L_S \qquad (\overline{L_{A1}} \parallel \overline{L_{A2}}) \preceq L_S}{(L_1 \parallel L_2) \preceq L_S}$$

where $L_1$, $L_2$, and $L_S$ are languages over alphabets $\Sigma_1$, $\Sigma_2$, $\Sigma_S$, respectively; $\Sigma_S \subseteq \Sigma_1 \cup \Sigma_2$, and $L_{A1}$ and $L_{A2}$ share a common alphabet $\Sigma_A = (\Sigma_1 \cap \Sigma_2) \cup \Sigma_S$. AG-C is known to be sound and complete for $\Sigma^*$-languages. Note that in comparison with AG-NC, there are two assumptions $L_{A1}$ and $L_{A2}$ over a larger alphabet $\Sigma_A$. Informally, the rule is sound for the following reason. Let $w$ be a word in $L_1 \parallel L_2$, and $u = w \downarrow \Sigma_A$. Then $u \in L_{A1}$, or $u \in L_{A2}$, or $u \in \overline{L_{A1}} \cap \overline{L_{A2}} = (\overline{L_{A1}} \parallel \overline{L_{A2}})$. If $u \in L_{A1}$ then the first premise implies that $\{w\} \preceq L_1 \parallel \{u\} \preceq L_S$; if $u \in L_{A2}$ then the second premise implies that $\{w\} \preceq L_2 \parallel \{u\} \preceq L_S$; otherwise, the third premise implies that $\{w\} \preceq \{u\} \preceq L_S$.
Remark 3. Note that the assumption alphabet for AG-C is larger than for AG-NC. In fact, using $\Sigma_{A1} = (\Sigma_1 \cup \Sigma_S) \cap \Sigma_2$ and $\Sigma_{A2} = (\Sigma_2 \cup \Sigma_S) \cap \Sigma_1$ makes AG-C incomplete. Indeed, let $L_1 = \{aa\}$ with $\Sigma_1 = \{a\}$, $L_2 = \{bb\}$ with $\Sigma_2 = \{b\}$ and $L_S = \{aab, abb, ab\}$. Note that $L_1 \parallel L_2 \preceq L_S$. We show that no $L_{A1}$ and $L_{A2}$ can satisfy the three premises of AG-C. Premise 1 $\Rightarrow b \notin L_{A1} \Rightarrow b \in \overline{L_{A1}}$. Similarly, premise 2 $\Rightarrow a \notin L_{A2} \Rightarrow a \in \overline{L_{A2}}$. But then $ab \in \overline{L_{A1}} \parallel \overline{L_{A2}}$, violating premise 3.

In this section, we show that AG-C is sound and complete for both $\Sigma^\omega$ and $\Sigma^\infty$ languages. First, we illustrate an application of the rule to the example from the proof of Theorem 2. Let $L_1$, $L_2$, and $L_S$ be $\Sigma^\omega$ languages as defined in the proof of Theorem 2. In this case, the alphabet $\Sigma_A$ is $\{a, b\}$. Letting $L_{A1} = (a + b)^* b^\omega$, and $L_{A2} = (a + b)^\omega$ satisfies all three premises of the rule.

Theorem 6. Let $L_1$, $L_2$, $L_S$, $L_{A1}$, and $L_{A2}$ be in $\Sigma^\omega$ or $\Sigma^\infty$. Then, the AG-C rule is sound and complete.

Proof. The proof of soundness is sketched in the above discussion. For the proof of completeness we only show the key steps. Assume that $L_1 \parallel L_2 \preceq L_S$. Let $L_{A1}$ and $L_{A2}$ be the weakest assumptions such that $L_1 \parallel L_{A1} \preceq L_S$, and $L_2 \parallel L_{A2} \preceq L_S$, respectively. By Theorem 3, both $L_{A1}$ and $L_{A2}$ are well-defined and satisfy the first and the second premises of AG-C, respectively. We prove the third premise by contradiction. Since $L_{A1}$ and $L_{A2}$ have the same alphabet, $(\overline{L_{A1}} \parallel \overline{L_{A2}}) = (\overline{L_{A1}} \cap \overline{L_{A2}})$. Assume that $(\overline{L_{A1}} \cap \overline{L_{A2}}) \not\preceq L_S$. Then, there exists a word $w \in (\overline{L_{A1}} \parallel \overline{L_{A2}})$ such that $w \notin L_{A1}$, and $w \notin L_{A2}$, and $w \downarrow \Sigma_S \notin L_S$. By the definition of weakest assumption (see Theorem 3), $L_1 \parallel \{w\} \not\preceq L_S$ and $L_2 \parallel \{w\} \not\preceq L_S$. Pick any $w_1 \in L_1 \parallel \{w\}$ and $w_2 \in L_2 \parallel \{w\}$. Let $w'_1 = w_1 \downarrow \Sigma_1$ and $w'_2 = w_2 \downarrow \Sigma_2$. We know that $\{w'_1\} \parallel \{w'_2\} \subseteq L_1 \parallel L_2$. Also, $w \in (\{w'_1\} \parallel \{w'_2\}) \downarrow \Sigma_A$. Now since $\{w'_1\} \parallel \{w'_2\} \subseteq L_1 \parallel L_2$, we have $w \in (L_1 \parallel L_2) \downarrow \Sigma_A$. Since $\Sigma_S \subseteq \Sigma_A$, $w \downarrow \Sigma_S \in (L_1 \parallel L_2) \downarrow \Sigma_S$. But $w \downarrow \Sigma_S \notin L_S$, which contradicts $L_1 \parallel L_2 \preceq L_S$. □

The completeness part of the proof of Theorem 6 is based on the existence of the weakest assumption. We already know from Theorem 5 that the weakest assumption is (∞-, ω-)regular if $L_1$, $L_2$, and $L_S$ are (∞-, ω-)regular, respectively. Thus, AG-C is complete for (∞-, ω-)regular languages. Since AG-NC is incomplete for ω-regular languages, a learning algorithm for ω-regular languages (such as $L^\$$) cannot be applied directly for AG reasoning for ω-regular systems and specifications. In the next section, we overcome this challenge by developing automated AG algorithms for ∞-regular and ω-regular languages.

5 Automated Assume-Guarantee Reasoning 

In this section, we present our LAG framework, and its specific useful instances. LAG uses membership 
oracles, learners, and checkers, which we describe first. 

Definition 1 (Membership Oracle and Learner). A membership oracle $Q$ for a language $U$ over alphabet $\Sigma$ is a procedure that takes as input a word $u \in \Sigma^\infty$ and returns 0 or 1 such that $Q(u) = 1 \iff u \in U$. We say that $Q \models U$. The set of all membership oracles is denoted by $Oracle$. Let $\mathcal{A}$ be any set of automata. We write $Learner_{\mathcal{A}}$ to denote the set of all learners of type $\mathcal{A}$. Formally, a learner of type $\mathcal{A}$ is a pair $(Cand, LearnCE)$ such that: (i) $Cand : Oracle \to \mathcal{A}$ is a procedure that takes a membership oracle as input and outputs a candidate $C \in \mathcal{A}$, and (ii) $LearnCE : \Sigma^\infty \to Learner_{\mathcal{A}}$ is a procedure that takes a counterexample as input and returns a new learner of type $\mathcal{A}$. For any learner $P = (Cand, LearnCE)$ we write $P.Cand$ and $P.LearnCE$ to mean $Cand$ and $LearnCE$ respectively.

Intuitively, a membership oracle is the fragment of a MAT that only answers membership queries, 
while a learner encapsulates an active learning algorithm that is able to construct candidates via mem- 
bership queries, and learn from counterexamples of candidate queries. 

Learning. Let $U$ be any unknown language, $Q$ be an oracle, and $P$ be a learner. We say that $(P, Q)$ learns $U$ if the following holds: if $Q \models U$, then there does not exist an infinite sequence of learners $P_0, P_1, \ldots$ and an infinite sequence of counterexamples $CE_1, CE_2, \ldots$ such that: (i) $P_0 = P$, (ii) $P_i = P_{i-1}.LearnCE(CE_i)$ for $i > 0$, and (iii) $CE_i \in \mathcal{L}(P_{i-1}.Cand(Q)) \oplus U$ for $i > 0$.
Input: $P_1, \ldots, P_k : Learner_{\mathcal{A}}$; $Q_1, \ldots, Q_k : Oracle$; $V : Checker_{(\mathcal{A}, k)}$
forever do
    for $i = 1$ to $k$ do $C_i := P_i.Cand(Q_i)$
    $R := V(C_1, \ldots, C_k)$
    if ($R = (\mathrm{FEEDBACK}, i, CE)$) then $P_i := P_i.LearnCE(CE)$ else return $R$

Figure 1: Algorithm for overall LAG procedure.

Definition 2 (Checker). Let $\mathcal{A}$ be a set of automata, and $k$ be an integer denoting the number of candidates. A checker of type $(\mathcal{A}, k)$ is a procedure that takes as input $k$ elements $A_1, \ldots, A_k$ of $\mathcal{A}$ and returns either (i) SUCCESS, or (ii) a pair (FAILURE, $CE$) such that $CE \in \Sigma^\infty$, or (iii) a triple (FEEDBACK, $i$, $CE$) such that $1 \le i \le k$ and $CE \in \Sigma^\infty$. We write $Checker_{(\mathcal{A}, k)}$ to mean the set of all checkers of type $(\mathcal{A}, k)$.

Intuitively, a checker generalizes the fragment of a MAT that responds to candidate queries by handling multiple (specifically, $k$) candidates. This generalization is important for circular proof rules. The checker has three possible outputs: (i) SUCCESS if the overall verification succeeds; (ii) (FAILURE, $CE$) where $CE$ is a real counterexample; (iii) (FEEDBACK, $i$, $CE$) where $CE$ is a counterexample for the $i$-th candidate.

5.1 LAG Procedure 

Our overall LAG procedure is presented in Fig. 1. We write $X : T$ to mean that $X$ is of type $T$. LAG accepts a set of $k$ membership oracles, $k$ learners, and a checker, and repeats the following steps:

1. Constructs candidate automata $C_1, \ldots, C_k$ using the learners and oracles.

2. Invokes the checker with the candidates constructed in Step 1 above.

3. If the checker returns SUCCESS or (FAILURE, $CE$), then exits with this result. Otherwise, updates the appropriate learner with the feedback and repeats from Step 1.

Theorem 7. LAG terminates if there exist languages $U_1, \ldots, U_k$ such that: (i) $Q_i \models U_i$ for $1 \le i \le k$, (ii) $(P_i, Q_i)$ learns $U_i$ for $1 \le i \le k$, and (iii) if $V(C_1, \ldots, C_k) = (\mathrm{FEEDBACK}, i, CE)$, then $CE \in \mathcal{L}(C_i) \oplus U_i$.

Proof. By contradiction. If LAG does not terminate there exists some $P_i$ such that $P_i.LearnCE$ is called infinitely often. This, together with assumptions (i) and (iii), contradicts (ii), i.e., that $(P_i, Q_i)$ learns $U_i$. □

5.2 Oracle, Learner, and Checker Instantiations 

We now describe various implementations of oracles, learners and checkers. We start with the notion of an oracle for weakest assumptions.

Oracle for Weakest Assumption. Let $L_1$, $L_S$ be any languages and $\Sigma$ be any alphabet. We write $Q(L_1, L_S, \Sigma)$ to denote the oracle such that $Q(L_1, L_S, \Sigma) \models \overline{(L_1 \parallel \overline{L_S}) \downarrow \Sigma}$. $Q(L_1, L_S, \Sigma)$ is typically implemented via model checking since, by Theorems 3 and 5, $Q(L_1, L_S, \Sigma)(u) = 1 \iff u \in \Sigma^\infty \wedge L_1 \parallel \{u\} \preceq L_S$.

Learner Instantiations. In general, a learner $P(L)$ is derived from an active learning algorithm $L$ as follows: $P(L) = (Cand, LearnCE)$ s.t. $Cand$ = the part of $L$ that constructs a candidate using membership queries, and $LearnCE$ = the part of $L$ that learns from a counterexample to a candidate query.

Non-circular Checker. Let $\mathcal{A}$ be a type of automata, and $L_1$, $L_2$ and $L_S$ be any languages. Then $V_{NC}(L_1, L_2, L_S)$ is the checker of type $(\mathcal{A}, 1)$ defined in Fig. 2. Note that $V_{NC}(L_1, L_2, L_S)$ is based on the AG-NC proof rule. The following proposition about $V_{NC}(L_1, L_2, L_S)$ will be used later.

Proposition 1. If $V_{NC}(L_1, L_2, L_S)(A)$ returns SUCCESS, then $L_1 \parallel L_2 \preceq L_S$. Otherwise, if $V_{NC}(L_1, L_2, L_S)(A)$ returns (FAILURE, $CE$), then $CE$ is a valid counterexample to $L_1 \parallel L_2 \preceq L_S$. Finally, if $V_{NC}(L_1, L_2, L_S)(A)$ returns (FEEDBACK, 1, $CE$), then $CE \in \mathcal{L}(A) \oplus \overline{(L_1 \parallel \overline{L_S}) \downarrow \Sigma}$.
Checker: $V_{NC}(L_1, L_2, L_S)$
Input: $A : \mathcal{A}$
if $(L_1 \parallel \mathcal{L}(A)) \preceq L_S$ then
    if $L_2 \preceq \mathcal{L}(A)$ then return SUCCESS
    else
        let $w$ be a CEX to $L_2 \preceq \mathcal{L}(A)$
        if $L_1 \parallel \{w\} \preceq L_S$ then
            return (FEEDBACK, 1, $w \downarrow \Sigma(A)$)
        else
            let $w'$ be a CEX to $L_1 \parallel \{w\} \preceq L_S$
            return (FAILURE, $w'$)
else
    let $w$ be a CEX to $(L_1 \parallel \mathcal{L}(A)) \preceq L_S$
    return (FEEDBACK, 1, $w \downarrow \Sigma(A)$)

Checker: $V_C(L_1, L_2, L_S)$
Input: $A_1, A_2 : \mathcal{A}$
for $i = 1, 2$ do
    if $L_i \parallel \mathcal{L}(A_i) \not\preceq L_S$ then
        let $w$ be a CEX to $L_i \parallel \mathcal{L}(A_i) \preceq L_S$
        return (FEEDBACK, $i$, $w \downarrow \Sigma_A$)
if $\overline{\mathcal{L}(A_1)} \parallel \overline{\mathcal{L}(A_2)} \preceq L_S$ then return SUCCESS
else
    let $w$ be a CEX to $\overline{\mathcal{L}(A_1)} \parallel \overline{\mathcal{L}(A_2)} \preceq L_S$
    for $i = 1, 2$ do
        if $L_i \parallel \{w\} \preceq L_S$ then
            return (FEEDBACK, $i$, $w \downarrow \Sigma_A$)
        else let $w_i$ be a CEX to $L_i \parallel \{w\} \preceq L_S$
    pick $w' \in \{w_1\} \parallel \{w_2\}$
    return (FAILURE, $w'$)

Figure 2: $V_{NC}$, a checker based on AG-NC; $V_C$, a checker based on AG-C.
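As an added example (not code from the paper), the following Python models languages as length-bounded finite sets so that the Section 3 operators (projection, $\parallel$, $\preceq$), the weakest assumption of Theorem 5, and the $V_{NC}$ checker of Fig. 2 can be run on a constructed instance. The bound MAXLEN and the instance $L_1 = (a+b)^*$, $L_2 = c^* a c^*$, $L_S = b^* a b^*$ are assumptions of this example, not taken from the paper.

```python
from itertools import product

MAXLEN = 5  # constructed bound on word length, so every language below is a finite set


def words_upto(alphabet, n=MAXLEN):
    """All words over `alphabet` of length at most n (a bounded stand-in for Sigma^*)."""
    letters = sorted(alphabet)
    return {"".join(t) for k in range(n + 1) for t in product(letters, repeat=k)}


def project(word, alphabet):
    """w |_ Sigma: delete every letter of w that is not in Sigma (Section 3)."""
    return "".join(c for c in word if c in alphabet)


class Lang:
    """A language is the pair (L, Sigma); the alphabet is part of its identity."""

    def __init__(self, alphabet, words):
        self.alphabet, self.words = frozenset(alphabet), frozenset(words)

    @classmethod
    def where(cls, alphabet, pred):
        return cls(alphabet, {w for w in words_upto(alphabet) if pred(w)})

    def complement(self):
        return Lang(self.alphabet, words_upto(self.alphabet) - self.words)

    def project(self, alphabet):
        return Lang(alphabet, {project(w, alphabet) for w in self.words})

    def parallel(self, other):
        """L1 || L2: synchronise on shared letters, interleave the rest (def. of ||)."""
        alpha = self.alphabet | other.alphabet
        return Lang(alpha, {w for w in words_upto(alpha)
                            if project(w, self.alphabet) in self.words
                            and project(w, other.alphabet) in other.words})

    def counterexample(self, other):
        """Shortest w in self with w |_ Sigma(other) not in other; None iff self <= other."""
        assert self.alphabet >= other.alphabet, "subsumption needs Sigma(L1) ⊇ Sigma(L2)"
        for w in sorted(self.words, key=lambda w: (len(w), w)):
            if project(w, other.alphabet) not in other.words:
                return w
        return None

    def subsumed_by(self, other):
        return self.counterexample(other) is None


def weakest_assumption(l1, ls, alpha_a):
    """Theorem 5: L_A = complement of ((L1 || complement(L_S)) |_ Sigma_A)."""
    assert l1.alphabet | alpha_a == l1.alphabet | ls.alphabet
    return l1.parallel(ls.complement()).project(alpha_a).complement()


def checker_nc(l1, l2, ls, cand):
    """The AG-NC checker V_NC of Fig. 2, with the candidate given as its language L(A)."""
    w = l1.parallel(cand).counterexample(ls)            # premise 1: L1 || L(A) <= L_S ?
    if w is not None:
        return ("FEEDBACK", 1, project(w, cand.alphabet))  # A accepts too much
    w = l2.counterexample(cand)                         # premise 2: L2 <= L(A) ?
    if w is None:
        return ("SUCCESS",)
    w2 = l1.parallel(Lang(l2.alphabet, {w})).counterexample(ls)
    if w2 is None:
        return ("FEEDBACK", 1, project(w, cand.alphabet))  # A accepts too little
    return ("FAILURE", w2)                              # real counterexample to L1 || L2 <= L_S


def shuffle_example():
    """Section 3: (b* a b*) || (c* a c*) equals (b+c)* a (b+c)*, checked up to MAXLEN."""
    left = Lang.where({"a", "b"}, lambda w: w.count("a") == 1)
    right = Lang.where({"a", "c"}, lambda w: w.count("a") == 1)
    expected = Lang.where({"a", "b", "c"}, lambda w: w.count("a") == 1)
    return left.parallel(right).words == expected.words


def ag_nc_example():
    """Constructed instance: L1 = (a+b)*, L2 = c* a c*, L_S = b* a b*, so Sigma_A = {a}."""
    l1 = Lang.where({"a", "b"}, lambda w: True)
    l2 = Lang.where({"a", "c"}, lambda w: w.count("a") == 1)
    ls = Lang.where({"a", "b"}, lambda w: w.count("a") == 1)
    alpha_a = (l1.alphabet | ls.alphabet) & l2.alphabet   # (Sigma_1 ∪ Sigma_S) ∩ Sigma_2
    la = weakest_assumption(l1, ls, alpha_a)
    return {
        "weakest": sorted(la.words),                      # the single word "a"
        "success": checker_nc(l1, l2, ls, la),
        "too_small": checker_nc(l1, l2, ls, Lang(alpha_a, set())),
        "too_big": checker_nc(l1, l2, ls, Lang(alpha_a, {"", "a"})),
        "conclusion": l1.parallel(l2).subsumed_by(ls),
    }


if __name__ == "__main__":
    print(shuffle_example())
    print(ag_nc_example())
```

On this instance the weakest assumption over $\Sigma_A = \{a\}$ is $\{a\}$; the checker returns SUCCESS on it and FEEDBACK on both $\emptyset$ (the over-strong assumption from the proof of Theorem 2) and $\{\lambda, a\}$.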

Circular Checker. Let $\mathcal{A}$ be a type of automata, and $L_1$, $L_2$ and $L_S$ be any languages. Then $V_C(L_1, L_2, L_S)$ is the checker of type $(\mathcal{A}, 2)$ defined in Fig. 2. Note that $V_C(L_1, L_2, L_S)$ is based on the AG-C proof rule. The following proposition about $V_C(L_1, L_2, L_S)$ will be used later.

Proposition 2. If $V_C(L_1, L_2, L_S)(A_1, A_2)$ returns SUCCESS, then $L_1 \parallel L_2 \preceq L_S$. Otherwise, if $V_C(L_1, L_2, L_S)(A_1, A_2)$ returns (FAILURE, $CE$), then $CE$ is a valid counterexample to $L_1 \parallel L_2 \preceq L_S$. Finally, if $V_C(L_1, L_2, L_S)(A_1, A_2)$ returns (FEEDBACK, $i$, $CE$), then $CE \in \mathcal{L}(A_i) \oplus \overline{(L_i \parallel \overline{L_S}) \downarrow \Sigma}$.

5.3 LAG Instantiations 

In this section, we present several instantiations of LAG for checking $L_1 \parallel L_2 \preceq L_S$. Our approach extends to systems with finitely many components, as for example in [9, 3].

Existing Work as LAG Instances: Regular Trace Containment. Table 1 instantiates LAG for existing learning-based algorithms for AG reasoning. The first row corresponds to the work of Cobleigh et al. [9]; its termination and correctness follow from Theorem 7, Proposition 1, and the fact that $(P_1, Q_1)$ learns the language $\overline{(L_1 \parallel \overline{L_S}) \downarrow \Sigma}$. The second row corresponds to Barringer et al. [3]; its termination and correctness follow from Theorem 7, Proposition 2, and the fact that $(P_i, Q_i)$ learns $\overline{(L_i \parallel \overline{L_S}) \downarrow \Sigma}$ for $i \in \{1, 2\}$.

New Contribution: Learning Infinite Behavior. Let $L^\omega$ be any active learning algorithm for ω-regular languages (e.g., $L^\$$). Since AG-NC is incomplete for ω-regular languages, $L^\omega$ is not applicable directly in this context. On the other hand, both AG-NC and AG-C are sound and complete for ∞-regular languages. Therefore, a learning algorithm for ∞-regular languages yields LAG instances for systems with infinite behavior. We now present two such algorithms. The first (see Theorem 8(a)) uses $L^\omega$ only, but augments the assumption alphabet. The second (see Theorem 8(b)) combines $L^\omega$ and L*, but leaves the assumption alphabet unchanged. We present both schemes since neither is objectively superior.

Table 1: Existing learning-based AG algorithms as instances of LAG; $\Sigma_{NC} = (\Sigma(L_1) \cup \Sigma(L_S)) \cap \Sigma(L_2)$; $\Sigma_C = (\Sigma(L_1) \cap \Sigma(L_2)) \cup \Sigma(L_S)$; $L$ is a learning algorithm from Theorem 8.

| Conformance                 | Rule      | Learner(s)                      | Oracle(s)                                                     | Checker                  |
| Regular Trace Containment   | AG-NC [9] | DFA; $P_1 = P(L^*)$             | $Q_1 = Q(L_1, L_S, \Sigma_{NC})$                              | $V_{NC}(L_1, L_2, L_S)$  |
| Regular Trace Containment   | AG-C [3]  | DFA; $P_1 = P_2 = P(L^*)$       | $Q_1 = Q(L_1, L_S, \Sigma_C)$, $Q_2 = Q(L_2, L_S, \Sigma_C)$  | $V_C(L_1, L_2, L_S)$     |
| ∞-regular Trace Containment | AG-NC     | DFA × BA; $P_1 = P(L)$          | $Q_1 = Q(L_1, L_S, \Sigma_{NC})$                              | $V_{NC}(L_1, L_2, L_S)$  |
| ∞-regular Trace Containment | AG-C      | DFA × BA; $P_1 = P_2 = P(L)$    | $Q_1 = Q(L_1, L_S, \Sigma_C)$, $Q_2 = Q(L_2, L_S, \Sigma_C)$  | $V_C(L_1, L_2, L_S)$     |
| ω-regular Trace Containment | AG-NC     | DFA × BA; $P_1 = P(L)$          | $Q_1 = Q(L_1, L_S, \Sigma_{NC})$                              | $V_{NC}(L_1, L_2, L_S)$  |
| ω-regular Trace Containment | AG-C      | BA; $P_1 = P_2 = P(L^\omega)$   | $Q_1 = Q(L_1, L_S, \Sigma_C)$, $Q_2 = Q(L_2, L_S, \Sigma_C)$  | $V_C(L_1, L_2, L_S)$     |

Theorem 8. We can learn an ∞-regular language $U$ using a MAT for $U$ in two ways: (a) using only $L^\omega$ but with alphabet augmentation, and (b) without alphabet augmentation, but using both $L^*$ and $L^\omega$.

Proof. Part (a): Let $\Sigma$ be the alphabet of $U$. We use $L^\omega$ to learn an ω-regular language $U'$ over the alphabet $\Sigma' = \Sigma \cup \{\tau\}$ such that $U' \downarrow \Sigma = U$, and $\tau \notin \Sigma$. Let $U' = U \cdot \tau^\omega$. We assume that the MAT $X$ for $U$ accepts candidate queries of the form $(M_1, M_2) \in \mathrm{DFA} \times \mathrm{BA}$, and returns "Yes" if $U = \mathcal{L}(M_1) \cup \mathcal{L}(M_2)$, and a CE otherwise. Then, a MAT for $U'$ is implemented using $X$ as follows: (i) Membership: $u \in U'$ iff $u \in \Sigma^\infty \cdot \tau^\omega \wedge u \downarrow \Sigma \in U$, where $u \downarrow \Sigma \in U$ is decided using $X$; (ii) Candidate with $C'$: if $\mathcal{L}(C') \not\subseteq \Sigma^\infty \cdot \tau^\omega$, return $CE' \in \mathcal{L}(C') \setminus \Sigma^\infty \cdot \tau^\omega$. Otherwise, make a candidate query to $X$ with $(M_1, M_2)$ such that $\mathcal{L}(M_1) = *(C' \downarrow \Sigma)$ and $\mathcal{L}(M_2) = \omega(C' \downarrow \Sigma)$, and turn any $CE$ into $CE' = CE \cdot \tau^\omega$.

Part (b): We use $L^*$ to learn $*(U)$ and $L^\omega$ to learn $\omega(U)$. We assume that the MAT $X$ for $U$ accepts candidate queries of the form $(M_1, M_2) \in \mathrm{DFA} \times \mathrm{BA}$, and returns "Yes" if $U = \mathcal{L}(M_1) \cup \mathcal{L}(M_2)$, and a CE otherwise. We run $L^*$ and $L^\omega$ concurrently, and iterate the next two steps: (1) answer membership queries with $X$ until we get candidates $M_1$ and $M_2$ from $L^*$ and $L^\omega$ respectively; (2) make the candidate query $(M_1, M_2)$ to $X$; return any finite (infinite) CE back to $L^*$ ($L^\omega$); repeat from Step 1. □
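As an added illustration (not code from the paper), the following Python sketch implements the MAT adapter of Part (a): ultimately periodic words over $\Sigma \cup \{\tau\}$ are written as (prefix, loop) pairs, a finite word $w$ is encoded as $w \cdot \tau^\omega$, and membership in $U'$ is reduced to membership in a small constructed target $U$ (finite words with an even number of a's, infinite words with infinitely many b's) that stands in for the oracle $X$; the target language and its alphabet are assumptions of the example.

```python
from typing import Optional, Tuple

# Constructed example: the MAT adapter of Theorem 8(a), not the paper's code.
# An ultimately periodic word over Sigma ∪ {tau} is a (prefix, loop) pair;
# the finite word w is encoded as the omega-word w·tau^omega, i.e. (w, TAU).
TAU = "τ"                # fresh padding letter, assumed not in Sigma = {a, b}
Word = Tuple[str, str]   # (prefix, loop) with a non-empty loop

# Constructed target U = *(U) ∪ omega(U) standing in for the MAT X:
#   *(U)     = finite words over {a, b} with an even number of a's
#   omega(U) = infinite words over {a, b} containing infinitely many b's
def in_U_finite(w: str) -> bool:
    return w.count("a") % 2 == 0

def in_U_infinite(u: Word) -> bool:
    return "b" in u[1]   # b occurs infinitely often iff it occurs in the loop

def project(u: Word) -> Optional[Tuple[str, object]]:
    """Decide u ∈ Sigma^oo·tau^omega and compute u↓Sigma.

    Returns ("finite", w) when u = w·tau^omega, ("infinite", u) when u has no
    tau at all (then u ∈ Sigma^omega and u↓Sigma = u), and None otherwise:
    a tau followed later by a Sigma letter puts u outside Sigma^oo·tau^omega.
    """
    prefix, loop = u
    if TAU not in prefix + loop:
        return ("infinite", u)
    if set(loop) != {TAU}:          # the loop must be pure tau padding
        return None
    w = prefix.rstrip(TAU)          # strip the padding, keep the Sigma part
    if TAU in w:                    # a Sigma letter after a tau: reject
        return None
    return ("finite", w)

def member_Uprime(u: Word) -> bool:
    """Membership query (i): u ∈ U' iff u ∈ Sigma^oo·tau^omega and u↓Sigma ∈ U,
    the second conjunct being answered by the oracle for U."""
    p = project(u)
    if p is None:
        return False
    kind, x = p
    return in_U_finite(x) if kind == "finite" else in_U_infinite(x)

def lift_counterexample(ce) -> Word:
    """Translate a CE returned by X into CE' = CE·tau^omega for L^omega:
    a finite CE (str) gets tau padding, an infinite CE (Word) is unchanged."""
    return (ce, TAU) if isinstance(ce, str) else ce
```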

LAG instances for ∞-regular Trace Containment. Suppose that $L_1$, $L_2$ and $L_S$ are regular and we wish to verify $L_1 \parallel L_2 \subseteq L_S$. The third row of Table 1 shows how to instantiate LAG to solve this problem using AG-NC. This instance of LAG terminates with the correct result due to Theorem 7, Proposition 1, and the fact that $(P_1, Q_1)$ learns $(L_1 \parallel L_S) \downarrow \Sigma$. The fourth row of Table 1 shows how to instantiate LAG to solve this problem using AG-C. This instance of LAG terminates correctly due to Theorem 7, Proposition 2, and because $(P_i, Q_i)$ learns $(L_i \parallel L_S) \downarrow \Sigma$ for $i \in \{1, 2\}$.

LAG instances for ω-regular Trace Containment. Suppose that $L_1$, $L_2$ and $L_S$ are ω-regular and we wish to check $L_1 \parallel L_2 \subseteq L_S$. When using AG-NC, restricting assumptions to ω-regular languages is incomplete (cf. Theorem 2). Hence, the situation is the same as for ∞-regular languages (cf. row 5 of Table 1). When using AG-C, restricting assumptions to be ω-regular is complete (cf. Theorem 6). Hence, we use $L^\omega$ without augmenting the assumption alphabet, as summarized in row 6 of Table 1. This is a specific benefit of the restriction to ω-regular languages. This instance terminates with the correct result due to Theorem 7, Proposition 2, and because $(P_i, Q_i)$ learns $(L_i \parallel L_S) \downarrow \Sigma$ for $i \in \{1, 2\}$.

6 Related Work and Conclusion 

Automated AG reasoning with automata-based learning was pioneered by Cobleigh et al. [9] for checking safety properties of finite state systems. In this context, Barringer et al. [3] investigated the soundness and completeness of a number of decomposition proof rules, and Wang [23] proposed a framework for automatic derivation of sound decomposition rules. Here, we extend the AG reasoning paradigm to arbitrary ω-regular properties (i.e., both safety and liveness) using both non-circular and circular rules.

The idea behind (particular instances of) Theorem 5 is used implicitly in almost all existing work on automated assume-guarantee reasoning [9, 6, 7]. However, we are not aware of an explicit closed-form treatment of the weakest assumption in a general setting such as ours.

The learning-based automated AG reasoning paradigm has been extended to check simulation [5] and deadlock [6]. Alur et al. [1], and Sinha et al. [21], have investigated symbolic and lazy SAT-based implementations, respectively. Tsay and Wang [22] show that verification of safety properties of ∞-regular systems is reducible to the standard AG framework. In contrast, our focus is on the verification of arbitrary ω-regular properties of ω-regular systems.

In summary, we present a very general formalization, called LAG, of the learning-based automated AG paradigm. We instantiate LAG to verify ω-regular properties of reactive systems with ω-regular behavior. We also show how existing approaches for automated AG reasoning are special instances of LAG. In addition, we prove the soundness and completeness of circular and non-circular AG proof rules in the context of ω-regular languages. Recently, techniques to reduce the number of queries [7], and to refine the assumption alphabet [11], have been proposed in the context of using automated AG to verify safety properties. We believe that these techniques are applicable to ω-regular properties as well.